如何检测“IAP破解者”?
我发现许多用户使用所谓的“IAP破解程序”而不是在应用内购买(IAP)中购买商品。我还了解到,Zynga Poker 和 Pokerist 已经检测到 IAP 破解者并防止假 IAP。我想检测哪部手机正在使用 IAP 破解程序。对于 Cydia 黑客工具,我可以通过应用程序路径找到它。
但我不相信 iAP 破解者属于特定的应用程序。我想我可以通过调用“Url Scheme”来检查,但我不知道名称。有谁知道怎么办吗?
I found out that many users use so-called "IAP crackers" instead of purchasing the items in in-app purchase (IAP). I also learned that Zynga Poker and Pokerist already detect IAP crackers and prevent the fake IAP. I would like to detect which phone is using IAP cracker. For Cydia hacking tool, I could find it with Application path.
But for I don't believe iAP crackers fall into specific applications. I think I can check that by calling "Url Scheme" but I don't know the name. Is there anybody who knows how?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
目前最好的解决方案似乎是使用外部服务器验证 IAP 交易,然后发回某种特定于设备的密钥来解锁只能在该服务器上生成的付费项目。这并不是万无一失的,但它应该使您的应用程序对任何通用 IAP 破解系统具有高度抵抗力;想要破解您的应用程序的人几乎必须专门为其开发破解程序。 (这要复杂得多,远远超出了大多数使用 IAP Cracker 的人的能力范围)
这就是您基本上需要做的:
(请参阅下面编辑后的文本,了解您需要的一些额外验证现在按步骤做3)
在您的情况下,由于您的应用程序已经被破解,并且您正在尝试停用非法获取您的 IAP 项目的人,因此您可以在应用程序的新版本中推出此功能,然后调用第一次运行新版本时,restoreCompletedTransactions 可以为您的合法用户重新验证/重新激活购买并阻止其他人。
然而,我应该补充一点,这是一项大量的工作 - 我们花了几周的程序员时间才使其顺利运行,尽管现在有开源代码可以处理大部分工作步骤 2 和 3 适合您。重新激活步骤还存在支持和公关成本 - 不可避免地,有些人会更改 iTunes 帐户或没有互联网连接或类似的东西,他们可能会非常生气,甚至短暂地无法访问他们合法支付的东西。
您需要权衡是否真的值得在这方面投入时间,因为该破解仅适用于越狱用户(因此大约 90% 的潜在客户不受影响),并且大多数安装它的人不太可能为您的应用程序付费反正;不要被破解您的应用程序的用户数量吓到,许多人会很乐意免费下载一些东西,即使他们从不付费。您最好将时间投入到有利于合法用户的改进上(并鼓励更多人购买您的应用程序)。
编辑 一年后,这仍然(大部分)准确,但是为了处理今天宣布的拦截然后重新发送真实收据的新破解,服务器端现在需要做更多的工作。 (幸运的是,如果您已经设置了验证服务器,您应该能够在不更新应用程序的情况下执行此操作)两个新要求:
1)检查解密收据中的产品 ID(应用程序 ID 和 IAP 产品 ID)你从苹果服务器返回的内容实际上与用户正在购买的产品相匹配。
2) 通过保留先前使用的交易 ID 的日志,检查收据中的交易 ID(或恢复收据的恢复交易 ID)以前从未使用过。
不过,即使现在非越狱用户也可以使用 IAP 破解,我的基本观点仍然是,这可能比它的价值更麻烦——为了节省你在实现和维护一批完全无趣的代码上所花费的时间。 ,你需要从那些不愿意为你的产品付费的人们那里获得大量的额外销售,以至于他们愿意大幅损害 iPhone 的安全以避免这样做。
The best solution at the moment seems to be verifying IAP transactions using an external server, then sending back some sort of device-specific key to unlock the paid item that can only be generated on that server. This isn't bulletproof, but it should make your app highly resistant to any general-purpose IAP cracking system; someone who wanted to crack your app would pretty much have to develop a crack specifically for it. (which is far more complicated, well beyond the reach of most of the people using IAP Cracker)
Here's what you'd basically need to do:
(see text after EDIT below for some extra verification you need to do now in step 3)
In your case, since your app has already been cracked and you're trying to deactivate people who obtained your IAP item illicitly, you'd push this functionality out in a new version of your app, then call a restoreCompletedTransactions the first time the new version was run to re-validate / reactivate purchases for your legitimate users and block everyone else.
I should add, however, that this is a LOT of work - took us a couple of weeks of programmer time to get it operating smoothly, though there's open-source code floating around now that will handle most of steps 2 and 3 for you. There's also a support and PR cost to that reactivation step - inevitably some people will have changed iTunes accounts or be without an internet connection or something like that and they'll probably be pretty ticked off to even briefly lose access to something they legitimately paid for.
You need to weigh whether it's really worth investing the time in this, when the crack is only available to jailbreak users (so something like 90% of your potential customers are unaffected) and most of the people installing it were unlikely to pay for your app anyway; don't be scared by the sheer numbers of users cracking your app, many people will happily download something for free even if they'd never pay for it. You would probably be better off putting your time into improvements that benefit legitimate users (and encourage more of them to buy your app).
EDIT A year later this is still (mostly) accurate, but to deal with the new crack announced today that intercepts and then re-sends genuine receipts, there's now a bit more work needed on the server side. (fortunately, if you already have a verification server set up you should be able to do this without updating your app) Two new requirements:
1) Check that the product IDs (both the application ID and the IAP product one) in the decrypted receipt you get back from Apple's server actually match the product that the user is purchasing.
2) Check that the transaction ID in the receipt (or the restore transaction ID for a restore receipt) has never been used before, by keeping a log of previously used transaction IDs.
Even with IAP cracking available to non-jailbroken users now, though, my basic point remains that this may be more trouble than it's worth - to make back the amount of time you'll spend implementing and maintaining a thoroughly un-fun batch of code, you'd need to get a LOT of extra sales from people who were, after all, so disinclined to pay for your product that they were willing to massively compromise their iPhone's security in order to avoid doing so.
我刚刚在 BinPress 上发现了一个价值 20 美元的组件,声称可以为您提供这种保护。事实上,正是阅读他们的描述促使我搜索 IAP Cracker 并让我想到了这个问题!
从快速阅读描述来看,似乎值得尝试至少作为这些攻击的廉价屏障。
此组件提供针对绕过应用内购买并免费解锁优质内容的工具的保护,例如最流行的“iAP Cracker”。保护是通过我们服务器上托管的收据验证服务进行管理的。它具有针对破解工具的经过验证的安全性和可靠性,并且旨在尽可能轻松地为开发人员集成。
“应用内购买验证”适用于那些不维护服务器的人并且希望避免自己管理购买验证 – 这可以节省大量时间:实现它就像插入几行额外的代码一样简单(见下文)。从那时起,服务器将发挥其魔力,它将通过 Apple 服务器验证每张收据。它还将为您提供购买次数。
I just found a $20 component on BinPress that claims to provide this protection for you. In fact, it was reading their description that prompted me to search for IAP Cracker and led me to this question!
From a quick read through the description it seems worth trying at least as a cheap barrier to these attacks.
This component provides protection against tools that bypass in-app purchases and unlock premium content for free, such as the most popular 'iAP Cracker'. Protection is managed via a hosted receipt verification service hosted on our servers. It comes with both proven security and reliability against cracking tools and is meant to be as easy as possible to integrate for the developer.
'In-app purchase verification' is for those who don't maintain a server and want to avoid managing purchase verification themselves – it's a huge time saver: Implementing it is as easy as inserting a few extra lines of code (see below). From then on, the server will do its magic and it'll verify each receipt with an Apple server. It'll also provide you with a count of purchases made.
Apple 在这里指出了这个问题:iOS 上的应用内购买收据验证< /a>
正如文中所述,在交易完成后验证您的交易,您应该没问题(希望如此)。
Apple stated this problem here: In-App Purchase Receipt Validation on iOS
As described in the text, validate your transactions after they have completed and you should be fine (hopefully).
您应该尝试 system("dpkg -l | grep iapCracker > /var/tmp/logiap.txt");然后用 logiap.txt 的内容填充 NSString 并检查该字符串是否包含某些内容。但我不知道苹果是否允许你这样做;)
You should try system("dpkg -l | grep iapCracker > /var/tmp/logiap.txt"); then fill a NSString with the content of logiap.txt and check if the string cointain something. But I don't know if apple allow you to do this ;)
要检测 IAP Cracker,您只需使用
NSFileManager检查已安装的软件包即可。我已经用 Cydia 尝试过检测越狱,效果很好。由于 Cydia 会自动安装在每个越狱设备上,因此您可以像这样检查是否越狱:
IAP Cracker 只是一些软件包,它也安装在您的系统中,您也可以检查它。
有人知道它是否违反了苹果的一些指导方针吗?
To detect IAP Cracker you can simply check for installed package with
NSFileManager. I've tried it with Cydia to detect a jailbreak and it works fine.As Cydia is automaticly installed on every jailbroken device, you can check for Jailbreak like this:
IAP Cracker is just some package, that is also installed in your system, you can check for it too.
Does anybody knows if it's violating some Apple guidelines?
@Morpheus2002 编写的 NSFileManager 方法对我不起作用,并且可能违反了 Apple 的准则。要检查 Cydia 是否已安装以及设备是否越狱,您可以检查是否可以按照 @MarkJohnson 的建议打开
cydia://homeURL 方案:The
NSFileManagermethod, written by @Morpheus2002 was not working for me, and might be violating Apple's guidelines. To check if Cydia is installed and therefore if the device is jailbroken, you can check if you can opencydia://homeURL scheme as suggested @MarkJohnson:本周(2015 年 5 月)将在应用程序中提交此内容。所以看看苹果是否批准
Will be submitting this in an app this week (May 2015). So will see if Apple approves